Java 仅在JWT令牌中添加附加信息,而不在OAuth2令牌中添加附加信息
在我的Spring boot应用程序中,我试图配置Oauth2和JWT,它可以正常工作,但我想隐藏Oauth2令牌中的附加信息,因为它们是纯文本的,相同的信息在JWT令牌中重复 这是我的Oauth2ServerConfig:Java 仅在JWT令牌中添加附加信息,而不在OAuth2令牌中添加附加信息,java,spring-boot,spring-security,jwt,spring-security-oauth2,Java,Spring Boot,Spring Security,Jwt,Spring Security Oauth2,在我的Spring boot应用程序中,我试图配置Oauth2和JWT,它可以正常工作,但我想隐藏Oauth2令牌中的附加信息,因为它们是纯文本的,相同的信息在JWT令牌中重复 这是我的Oauth2ServerConfig: @Configuration public class OAuth2ServerConfiguration { @Configuration @EnableAuthorizationServer protec
@Configuration
public class OAuth2ServerConfiguration {
@Configuration
@EnableAuthorizationServer
protected static class AuthorizationServerConfiguration extends AuthorizationServerConfigurerAdapter {
private final AuthenticationManager authenticationManager;
private final OAuth2ApprovalRepository oAuth2ApprovalRepository;
private final OAuth2CodeRepository oAuth2CodeRepository;
private final OAuth2ClientDetailsRepository oAuth2ClientDetailsRepository;
public AuthorizationServerConfiguration(@Qualifier("authenticationManagerBean") AuthenticationManager authenticationManager) {
this.authenticationManager = authenticationManager;
}
@Bean
public ApprovalStore approvalStore() {
return new MyDBApprovalStore(oAuth2ApprovalRepository);
}
@Bean
protected AuthorizationCodeServices authorizationCodeServices() {
return new MyDBAuthorizationCodeServices(oAuth2CodeRepository);
}
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer(), accessTokenConverter()));
endpoints.authorizationCodeServices(authorizationCodeServices())
.approvalStore(approvalStore())
.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.authenticationManager(authenticationManager);
}
@Bean
public TokenEnhancer tokenEnhancer() {
return new CustomTokenEnhancer();
}
@Bean
public TokenStore tokenStore() {
return new JwtTokenStore(accessTokenConverter());
}
@Bean
public JwtAccessTokenConverter accessTokenConverter() {
JwtAccessTokenConverter converter = new JwtAccessTokenConverter();
converter.setSigningKey("123");
return converter;
}
@Override
public void configure(ClientDetailsServiceConfigurer clients) throws Exception {
clients.withClientDetails(new MyClientDetailsService(oAuth2ClientDetailsRepository));
}
}
}
和我的自定义信息添加:
public class CustomTokenEnhancer implements TokenEnhancer {
@Override
public OAuth2AccessToken enhance(OAuth2AccessToken accessToken, OAuth2Authentication authentication) {
Map<String, Object> additionalInfo = new HashMap<>();
additionalInfo.put("organizationId", "123");
((DefaultOAuth2AccessToken) accessToken).setAdditionalInformation(additionalInfo);
return accessToken;
}
}
}
我不想将此令牌的组织ID暴露给外部世界,只想将此信息编码在JWT令牌(access_令牌)中
如何使用Spring Boot、OAuth2、JWT实现它?如果连接是通过HTTPS(应该是这样)实现的,那么信息将不会暴露给外部世界(只有请求它的客户端)
在任何情况下,您拥有的访问令牌都只是一个JWS(未加密),因此如果您将其放入其中,信息不会被隐藏(它只是Base64编码的)。我在这里找到了一个解决方案: 我还更改了配置方法
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer()));
endpoints
.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.reuseRefreshTokens(false)
.userDetailsService(userDetailsService)
.authenticationManager(authenticationManager);
}
问题是我们正在添加更多信息,而响应不断增长,因为附加信息会重复,即在令牌和响应中。。。有没有办法将其从响应中删除?问题是,浏览器中的恶意代码可能会修改这些附加信息(例如,在上述情况下,organizationId为444),而编码令牌中的organizationId仍然为123,并且为了方便起见,开发人员正在使用公开的数据而不是令牌中的值,以便从后端服务获取一些详细信息
@Override
public void configure(AuthorizationServerEndpointsConfigurer endpoints) throws Exception {
TokenEnhancerChain tokenEnhancerChain = new TokenEnhancerChain();
tokenEnhancerChain.setTokenEnhancers(Arrays.asList(tokenEnhancer()));
endpoints
.tokenStore(tokenStore())
.tokenEnhancer(tokenEnhancerChain)
.reuseRefreshTokens(false)
.userDetailsService(userDetailsService)
.authenticationManager(authenticationManager);
}